├── .gitattributes ├── .gitignore ├── AltSyscallClient ├── AltSyscallClient.c ├── AltSyscallClient.sln ├── AltSyscallClient.vcxproj └── AltSyscallClient.vcxproj.filters ├── AltSyscallDriver ├── AltSyscall.c ├── AltSyscall.h ├── AltSyscallDriver.inf ├── AltSyscallDriver.sln ├── AltSyscallDriver.vcxproj └── AltSyscallDriver.vcxproj.filters ├── README.md └── images ├── PspEnableAltSystemCallHandling.png ├── gsod.png └── poc.jpg /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Build results 17 | [Dd]ebug/ 18 | [Dd]ebugPublic/ 19 | [Rr]elease/ 20 | [Rr]eleases/ 21 | x64/ 22 | x86/ 23 | [Aa][Rr][Mm]/ 24 | [Aa][Rr][Mm]64/ 25 | bld/ 26 | [Bb]in/ 27 | [Oo]bj/ 28 | [Ll]og/ 29 | 30 | # Visual Studio 2015/2017 cache/options directory 31 | .vs/ 32 | # Uncomment if you have tasks that create the project's static files in wwwroot 33 | #wwwroot/ 34 | 35 | # Visual Studio 2017 auto generated files 36 | Generated\ Files/ 37 | 38 | # MSTest test Results 39 | [Tt]est[Rr]esult*/ 40 | [Bb]uild[Ll]og.* 41 | 42 | # NUNIT 43 | *.VisualState.xml 44 | TestResult.xml 45 | 46 | # Build Results of an ATL Project 47 | [Dd]ebugPS/ 48 | [Rr]eleasePS/ 49 | dlldata.c 50 | 51 | # Benchmark Results 52 | BenchmarkDotNet.Artifacts/ 53 | 54 | # .NET Core 55 | project.lock.json 56 | project.fragment.lock.json 57 | artifacts/ 58 | 59 | # StyleCop 60 | StyleCopReport.xml 61 | 62 | # Files built by Visual Studio 63 | *_i.c 64 | *_p.c 65 | *_h.h 66 | *.ilk 67 | *.meta 68 | *.obj 69 | *.iobj 70 | *.pch 71 | *.pdb 72 | *.ipdb 73 | *.pgc 74 | *.pgd 75 | *.rsp 76 | *.sbr 77 | *.tlb 78 | *.tli 79 | *.tlh 80 | *.tmp 81 | *.tmp_proj 82 | *_wpftmp.csproj 83 | *.log 84 | *.vspscc 85 | *.vssscc 86 | .builds 87 | *.pidb 88 | *.svclog 89 | *.scc 90 | 91 | # Chutzpah Test files 92 | _Chutzpah* 93 | 94 | # Visual C++ cache files 95 | ipch/ 96 | *.aps 97 | *.ncb 98 | *.opendb 99 | *.opensdf 100 | *.sdf 101 | *.cachefile 102 | *.VC.db 103 | *.VC.VC.opendb 104 | 105 | # Visual Studio profiler 106 | *.psess 107 | *.vsp 108 | *.vspx 109 | *.sap 110 | 111 | # Visual Studio Trace Files 112 | *.e2e 113 | 114 | # TFS 2012 Local Workspace 115 | $tf/ 116 | 117 | # Guidance Automation Toolkit 118 | *.gpState 119 | 120 | # ReSharper is a .NET coding add-in 121 | _ReSharper*/ 122 | *.[Rr]e[Ss]harper 123 | *.DotSettings.user 124 | 125 | # JustCode is a .NET coding add-in 126 | .JustCode 127 | 128 | # TeamCity is a build add-in 129 | _TeamCity* 130 | 131 | # DotCover is a Code Coverage Tool 132 | *.dotCover 133 | 134 | # AxoCover is a Code Coverage Tool 135 | .axoCover/* 136 | !.axoCover/settings.json 137 | 138 | # Visual Studio code coverage results 139 | *.coverage 140 | *.coveragexml 141 | 142 | # NCrunch 143 | _NCrunch_* 144 | .*crunch*.local.xml 145 | nCrunchTemp_* 146 | 147 | # MightyMoose 148 | *.mm.* 149 | AutoTest.Net/ 150 | 151 | # Web workbench (sass) 152 | .sass-cache/ 153 | 154 | # Installshield output folder 155 | [Ee]xpress/ 156 | 157 | # DocProject is a documentation generator add-in 158 | DocProject/buildhelp/ 159 | DocProject/Help/*.HxT 160 | DocProject/Help/*.HxC 161 | DocProject/Help/*.hhc 162 | DocProject/Help/*.hhk 163 | DocProject/Help/*.hhp 164 | DocProject/Help/Html2 165 | DocProject/Help/html 166 | 167 | # Click-Once directory 168 | publish/ 169 | 170 | # Publish Web Output 171 | *.[Pp]ublish.xml 172 | *.azurePubxml 173 | # Note: Comment the next line if you want to checkin your web deploy settings, 174 | # but database connection strings (with potential passwords) will be unencrypted 175 | *.pubxml 176 | *.publishproj 177 | 178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 179 | # checkin your Azure Web App publish settings, but sensitive information contained 180 | # in these scripts will be unencrypted 181 | PublishScripts/ 182 | 183 | # NuGet Packages 184 | *.nupkg 185 | # The packages folder can be ignored because of Package Restore 186 | **/[Pp]ackages/* 187 | # except build/, which is used as an MSBuild target. 188 | !**/[Pp]ackages/build/ 189 | # Uncomment if necessary however generally it will be regenerated when needed 190 | #!**/[Pp]ackages/repositories.config 191 | # NuGet v3's project.json files produces more ignorable files 192 | *.nuget.props 193 | *.nuget.targets 194 | 195 | # Microsoft Azure Build Output 196 | csx/ 197 | *.build.csdef 198 | 199 | # Microsoft Azure Emulator 200 | ecf/ 201 | rcf/ 202 | 203 | # Windows Store app package directories and files 204 | AppPackages/ 205 | BundleArtifacts/ 206 | Package.StoreAssociation.xml 207 | _pkginfo.txt 208 | *.appx 209 | 210 | # Visual Studio cache files 211 | # files ending in .cache can be ignored 212 | *.[Cc]ache 213 | # but keep track of directories ending in .cache 214 | !?*.[Cc]ache/ 215 | 216 | # Others 217 | ClientBin/ 218 | ~$* 219 | *~ 220 | *.dbmdl 221 | *.dbproj.schemaview 222 | *.jfm 223 | *.pfx 224 | *.publishsettings 225 | orleans.codegen.cs 226 | 227 | # Including strong name files can present a security risk 228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 229 | #*.snk 230 | 231 | # Since there are multiple workflows, uncomment next line to ignore bower_components 232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 233 | #bower_components/ 234 | 235 | # RIA/Silverlight projects 236 | Generated_Code/ 237 | 238 | # Backup & report files from converting an old project file 239 | # to a newer Visual Studio version. Backup files are not needed, 240 | # because we have git ;-) 241 | _UpgradeReport_Files/ 242 | Backup*/ 243 | UpgradeLog*.XML 244 | UpgradeLog*.htm 245 | ServiceFabricBackup/ 246 | *.rptproj.bak 247 | 248 | # SQL Server files 249 | *.mdf 250 | *.ldf 251 | *.ndf 252 | 253 | # Business Intelligence projects 254 | *.rdl.data 255 | *.bim.layout 256 | *.bim_*.settings 257 | *.rptproj.rsuser 258 | *- Backup*.rdl 259 | 260 | # Microsoft Fakes 261 | FakesAssemblies/ 262 | 263 | # GhostDoc plugin setting file 264 | *.GhostDoc.xml 265 | 266 | # Node.js Tools for Visual Studio 267 | .ntvs_analysis.dat 268 | node_modules/ 269 | 270 | # Visual Studio 6 build log 271 | *.plg 272 | 273 | # Visual Studio 6 workspace options file 274 | *.opt 275 | 276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 277 | *.vbw 278 | 279 | # Visual Studio LightSwitch build output 280 | **/*.HTMLClient/GeneratedArtifacts 281 | **/*.DesktopClient/GeneratedArtifacts 282 | **/*.DesktopClient/ModelManifest.xml 283 | **/*.Server/GeneratedArtifacts 284 | **/*.Server/ModelManifest.xml 285 | _Pvt_Extensions 286 | 287 | # Paket dependency manager 288 | .paket/paket.exe 289 | paket-files/ 290 | 291 | # FAKE - F# Make 292 | .fake/ 293 | 294 | # JetBrains Rider 295 | .idea/ 296 | *.sln.iml 297 | 298 | # CodeRush personal settings 299 | .cr/personal 300 | 301 | # Python Tools for Visual Studio (PTVS) 302 | __pycache__/ 303 | *.pyc 304 | 305 | # Cake - Uncomment if you are using it 306 | # tools/** 307 | # !tools/packages.config 308 | 309 | # Tabs Studio 310 | *.tss 311 | 312 | # Telerik's JustMock configuration file 313 | *.jmconfig 314 | 315 | # BizTalk build output 316 | *.btp.cs 317 | *.btm.cs 318 | *.odx.cs 319 | *.xsd.cs 320 | 321 | # OpenCover UI analysis results 322 | OpenCover/ 323 | 324 | # Azure Stream Analytics local run output 325 | ASALocalRun/ 326 | 327 | # MSBuild Binary and Structured Log 328 | *.binlog 329 | 330 | # NVidia Nsight GPU debugger configuration file 331 | *.nvuser 332 | 333 | # MFractors (Xamarin productivity tool) working folder 334 | .mfractor/ 335 | 336 | # Local History for Visual Studio 337 | .localhistory/ 338 | 339 | # BeatPulse healthcheck temp database 340 | healthchecksdb -------------------------------------------------------------------------------- /AltSyscallClient/AltSyscallClient.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | 9 | #define ALTSYSCALL_SERVICE_NAMEW L"AltSyscallSvc" 10 | #define ALTSYSCALL_DEVICE_NAMEW L"\\\\.\\AltSyscall" 11 | #define ALTSYSCALL_SERVICE_INSTALL 0 12 | #define ALTSYSCALL_SERVICE_UNINSTALL 1 13 | #define ALTSYSCALL_MONITOR_IOCTL IOCTL_ALT_SYSCALL_DRIVER 14 | 15 | 16 | _Success_(return == TRUE) 17 | BOOLEAN 18 | InstallDriver( 19 | _In_ SC_HANDLE hSCManager, 20 | _In_ LPCTSTR ServiceName, 21 | _In_ LPCTSTR DriverPath 22 | ) 23 | { 24 | SC_HANDLE schService; 25 | DWORD errCode; 26 | 27 | schService = CreateService(hSCManager, 28 | ServiceName, 29 | ServiceName, 30 | SERVICE_ALL_ACCESS, 31 | SERVICE_KERNEL_DRIVER, 32 | SERVICE_DEMAND_START, 33 | SERVICE_ERROR_NORMAL, 34 | DriverPath, 35 | NULL, 36 | NULL, 37 | NULL, 38 | NULL, 39 | NULL); 40 | if (NULL == schService) { 41 | errCode = GetLastError(); 42 | 43 | if (ERROR_SERVICE_EXISTS == errCode) { 44 | fprintf(stderr, "[AltSyscallClient] Service already exists\n"); 45 | 46 | return TRUE; 47 | } else { 48 | fprintf(stderr, "[AltSyscallClient] Failed creating service: %#x\n", errCode); 49 | 50 | return FALSE; 51 | } 52 | } else { 53 | CloseServiceHandle(schService); 54 | 55 | fprintf(stdout, "[AltSyscallClient] Service %S was successfully created\n", ServiceName); 56 | 57 | return TRUE; 58 | } 59 | } 60 | 61 | _Success_(return == TRUE) 62 | BOOLEAN 63 | UninstallDriver( 64 | _In_ SC_HANDLE hSCManager, 65 | _In_ LPCTSTR ServiceName 66 | ) 67 | { 68 | SC_HANDLE schService; 69 | BOOLEAN bRetStatus = FALSE; 70 | 71 | schService = OpenService(hSCManager, 72 | ServiceName, 73 | SERVICE_ALL_ACCESS); 74 | if (NULL == schService) { 75 | fprintf(stderr, "[AltSyscallClient] Failed opening the service: %#X\n", GetLastError()); 76 | 77 | return bRetStatus; 78 | } 79 | 80 | if (DeleteService(schService)) { 81 | bRetStatus = TRUE; 82 | 83 | fprintf(stdout, "[AltSyscallClient] Service %S was successfully deleted\n", ServiceName); 84 | } else { 85 | fprintf(stderr, "[AltSyscallClient] Failed deleting the service: %#X\n", GetLastError()); 86 | } 87 | 88 | CloseServiceHandle(schService); 89 | 90 | return bRetStatus; 91 | } 92 | 93 | _Success_(return == TRUE) 94 | BOOLEAN 95 | StartDriver( 96 | _In_ SC_HANDLE hSCManager, 97 | _In_ LPCTSTR ServiceName 98 | ) 99 | { 100 | SC_HANDLE schService; 101 | DWORD errCode; 102 | BOOLEAN bRetStatus = FALSE; 103 | 104 | schService = OpenService(hSCManager, 105 | ServiceName, 106 | SERVICE_ALL_ACCESS); 107 | if (NULL == schService) { 108 | fprintf(stderr, "[AltSyscallClient] Failed opening the service: %#X\n", GetLastError()); 109 | 110 | return bRetStatus; 111 | } 112 | 113 | if (!StartService(schService, 114 | 0, 115 | NULL)) { 116 | errCode = GetLastError(); 117 | 118 | if (ERROR_SERVICE_ALREADY_RUNNING == errCode) { 119 | bRetStatus = TRUE; 120 | 121 | fprintf(stdout, "[AltSyscallClient] Service %S already running\n", ServiceName); 122 | } else { 123 | fprintf(stderr, "[AltSyscallClient] Failed starting the service: %#X\n", errCode); 124 | } 125 | } else { 126 | bRetStatus = TRUE; 127 | 128 | fprintf(stdout, "[AltSyscallClient] Service %S was successfully started\n", ServiceName); 129 | } 130 | 131 | CloseServiceHandle(schService); 132 | 133 | return bRetStatus; 134 | } 135 | 136 | _Success_(return == TRUE) 137 | BOOLEAN 138 | StopDriver( 139 | _In_ SC_HANDLE hSCManager, 140 | _In_ LPCTSTR ServiceName 141 | ) 142 | { 143 | SC_HANDLE schService; 144 | SERVICE_STATUS serviceStatus; 145 | BOOLEAN bRetStatus = FALSE; 146 | 147 | schService = OpenService(hSCManager, 148 | ServiceName, 149 | SERVICE_ALL_ACCESS); 150 | if (NULL == schService) { 151 | fprintf(stderr, "[AltSyscallClient] Failed opening the service: %#X\n", GetLastError()); 152 | 153 | return bRetStatus; 154 | } 155 | 156 | if (ControlService(schService, 157 | SERVICE_CONTROL_STOP, 158 | &serviceStatus)) { 159 | bRetStatus = TRUE; 160 | 161 | fprintf(stdout, "[AltSyscallClient] Service %S was successfully stopped\n", ServiceName); 162 | } else { 163 | fprintf(stderr, "[AltSyscallClient] Failed stopping the service: %#X\n", GetLastError()); 164 | } 165 | 166 | CloseServiceHandle(schService); 167 | 168 | return bRetStatus; 169 | } 170 | 171 | _Success_(return == TRUE) 172 | BOOLEAN 173 | ManageDriver( 174 | _In_ LPCTSTR DriverPath, 175 | _In_ LPCTSTR ServiceName, 176 | _In_ SIZE_T Action 177 | ) 178 | { 179 | SC_HANDLE schSCManager; 180 | BOOLEAN bRetVal = TRUE; 181 | 182 | if (NULL == DriverPath || NULL == ServiceName) { 183 | fprintf(stderr, "[AltSyscallClient] Invalid driver name or service name\n"); 184 | 185 | return FALSE; 186 | } 187 | 188 | schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 189 | if (NULL == schSCManager) { 190 | fprintf(stderr, "[AltSyscallClient] Failed opening a connection to SCM: %#X\n", GetLastError()); 191 | 192 | return FALSE; 193 | } 194 | 195 | switch (Action) { 196 | case ALTSYSCALL_SERVICE_INSTALL: 197 | if (InstallDriver(schSCManager, ServiceName, DriverPath)) { 198 | bRetVal = StartDriver(schSCManager, ServiceName); 199 | } else { 200 | bRetVal = FALSE; 201 | } 202 | 203 | break; 204 | case ALTSYSCALL_SERVICE_UNINSTALL: 205 | if (StopDriver(schSCManager, ServiceName)) { 206 | bRetVal = UninstallDriver(schSCManager, ServiceName); 207 | } else { 208 | bRetVal = FALSE; 209 | } 210 | 211 | break; 212 | default: 213 | fprintf(stderr, "[AltSyscallClient] Unknown action: %zu\n", Action); 214 | 215 | bRetVal = FALSE; 216 | 217 | break; 218 | } 219 | 220 | if (CloseServiceHandle(schSCManager) == 0) { 221 | fprintf(stderr, "[AltSyscallClient] Failed closing SCM: %#X\n", GetLastError()); 222 | } 223 | 224 | return bRetVal; 225 | } 226 | 227 | int __cdecl main(int argc, char *argv[]) 228 | { 229 | DWORD retCode = EXIT_SUCCESS; 230 | DWORD dwBufferLength = 0; 231 | DWORD dwPid = 0; 232 | DWORD dwBytesReturned; 233 | errno_t intErrNo; 234 | LPWSTR lpBuffer = NULL; 235 | LPCWSTR lpDriverName = DRIVER_NAME; 236 | HANDLE hDevice; 237 | BOOL bRet; 238 | HANDLE pid; 239 | 240 | if (argc > 1) { 241 | if (_strnicmp(argv[1], "load", strlen("load")) == 0) { 242 | dwBufferLength = GetCurrentDirectory(dwBufferLength, lpBuffer); 243 | if (!dwBufferLength) { 244 | retCode = GetLastError(); 245 | fwprintf(stderr, L"Failed to query current directory length: %08X\n", retCode); 246 | 247 | return retCode; 248 | } else { 249 | lpBuffer = calloc(dwBufferLength + wcslen(lpDriverName) + 2, sizeof(WCHAR)); // + 2: 1 for \ and 1 for NULL 250 | if (NULL == lpBuffer) { 251 | retCode = GetLastError(); 252 | fwprintf(stderr, L"Failed allocating a buffer for current directory: %08X\n", retCode); 253 | 254 | return retCode; 255 | } 256 | 257 | if (!GetCurrentDirectory(dwBufferLength, lpBuffer)) { 258 | retCode = GetLastError(); 259 | fwprintf(stderr, L"Failed to query current directory length: %08X\n", retCode); 260 | 261 | free(lpBuffer); 262 | lpBuffer = NULL; 263 | 264 | return retCode; 265 | } 266 | 267 | wcsncat_s(lpBuffer, dwBufferLength + wcslen(lpDriverName) + 1, L"\\", wcslen(L"\\")); 268 | wcsncat_s(lpBuffer, dwBufferLength + wcslen(lpDriverName) + 1, lpDriverName, wcslen(lpDriverName)); 269 | 270 | fwprintf(stdout, L"Absolute of the driver to load: %lS\n", lpBuffer); 271 | } 272 | 273 | ManageDriver(lpBuffer, ALTSYSCALL_SERVICE_NAMEW, ALTSYSCALL_SERVICE_INSTALL); 274 | 275 | free(lpBuffer); 276 | lpBuffer = NULL; 277 | } else if (_strnicmp(argv[1], "unload", strlen("unload")) == 0) { 278 | ManageDriver(L"", ALTSYSCALL_SERVICE_NAMEW, ALTSYSCALL_SERVICE_UNINSTALL); 279 | } else { 280 | dwPid = strtoul(argv[1], NULL, 10); 281 | if (0 == dwPid) { 282 | retCode = GetLastError(); 283 | fwprintf(stderr, L"Failed to convert %hs to a number: %08X\n", argv[1], retCode); 284 | 285 | return retCode; 286 | } else if (ULONG_MAX == dwPid) { 287 | retCode = GetLastError(); 288 | fwprintf(stderr, L"Failed to convert %hs to a number, overflow\n", argv[1]); 289 | 290 | return retCode; 291 | } else if (!_get_errno(&intErrNo) && (intErrNo == ERANGE)) { 292 | retCode = GetLastError(); 293 | fwprintf(stderr, L"Failed to convert %hs to a number, errno out of range: %08X\n", argv[1], retCode); 294 | 295 | return retCode; 296 | } else { 297 | fwprintf(stdout, L"Monitor PID: %lu\n", dwPid); 298 | 299 | hDevice = CreateFile(ALTSYSCALL_DEVICE_NAMEW, 300 | GENERIC_READ | GENERIC_WRITE, 301 | 0, 302 | NULL, 303 | CREATE_ALWAYS, 304 | FILE_ATTRIBUTE_NORMAL, 305 | NULL); 306 | 307 | if (hDevice == INVALID_HANDLE_VALUE) { 308 | retCode = GetLastError(); 309 | fwprintf(stderr, L"Failed to open device : %08X\n", retCode); 310 | 311 | return retCode; 312 | } 313 | 314 | pid = UlongToHandle(dwPid); 315 | bRet = DeviceIoControl(hDevice, 316 | ALTSYSCALL_MONITOR_IOCTL, 317 | &pid, 318 | sizeof(HANDLE), 319 | NULL, 320 | 0, 321 | &dwBytesReturned, 322 | NULL 323 | ); 324 | 325 | if (!bRet) { 326 | retCode = GetLastError(); 327 | fwprintf(stderr, L"Failed to send PID for monitoring: %08X\n", retCode); 328 | 329 | return retCode; 330 | } 331 | } 332 | } 333 | } else { 334 | fwprintf(stdout, L"Usage: %hs \n", argv[0]); 335 | } 336 | 337 | return retCode; 338 | } -------------------------------------------------------------------------------- /AltSyscallClient/AltSyscallClient.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29409.12 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AltSyscallClient", "AltSyscallClient.vcxproj", "{4BF480D5-A4CF-411F-B2B6-317BC5526675}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {4BF480D5-A4CF-411F-B2B6-317BC5526675}.Debug|x64.ActiveCfg = Debug|x64 15 | {4BF480D5-A4CF-411F-B2B6-317BC5526675}.Debug|x64.Build.0 = Debug|x64 16 | {4BF480D5-A4CF-411F-B2B6-317BC5526675}.Release|x64.ActiveCfg = Release|x64 17 | {4BF480D5-A4CF-411F-B2B6-317BC5526675}.Release|x64.Build.0 = Release|x64 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {5EB1E24E-880D-4DC8-AD36-EE03BE3C9013} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /AltSyscallClient/AltSyscallClient.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 15 | 16 | 17 | {4BF480D5-A4CF-411F-B2B6-317BC5526675} 18 | {504102d4-2172-473c-8adf-cd96e308f257} 19 | v4.5 20 | 12.0 21 | Debug 22 | Win32 23 | AltSyscallClient 24 | 25 | 26 | 27 | Windows10 28 | true 29 | WindowsApplicationForDrivers10.0 30 | Application 31 | Universal 32 | Unicode 33 | false 34 | 35 | 36 | Windows10 37 | false 38 | WindowsApplicationForDrivers10.0 39 | Application 40 | Universal 41 | Unicode 42 | false 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | ..\AltSyscallDriver\;$(IncludePath) 53 | 54 | 55 | $(VC_IncludePath);$(WindowsSDK_IncludePath);..\AltSyscallDriver\ 56 | 57 | 58 | 59 | _DEBUG;WINAPI_FAMILY=WINAPI_FAMILY_DESKTOP_APP;WINAPI_PARTITION_DESKTOP=1;WINAPI_PARTITION_SYSTEM=1;WINAPI_PARTITION_APP=1;WINAPI_PARTITION_PC_APP=1;%(PreprocessorDefinitions) 60 | MultiThreaded 61 | C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.18362.0\km;%(AdditionalIncludeDirectories) 62 | 63 | 64 | %(AdditionalDependencies);onecoreuap.lib 65 | 66 | 67 | 68 | 69 | WINAPI_FAMILY=WINAPI_FAMILY_DESKTOP_APP;WINAPI_PARTITION_DESKTOP=1;WINAPI_PARTITION_SYSTEM=1;WINAPI_PARTITION_APP=1;WINAPI_PARTITION_PC_APP=1;%(PreprocessorDefinitions) 70 | MultiThreaded 71 | C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.18362.0\km;%(AdditionalIncludeDirectories) 72 | 73 | 74 | %(AdditionalDependencies);onecoreuap.lib 75 | 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /AltSyscallClient/AltSyscallClient.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscall.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "AltSyscall.h" 5 | 6 | 7 | typedef 8 | BOOLEAN 9 | ALT_SYSCALL_HANDLER( 10 | _In_ PKTRAP_FRAME 11 | ); 12 | 13 | typedef ALT_SYSCALL_HANDLER* PALT_SYSCALL_HANDLERD; 14 | typedef NTSTATUS(*PsRegisterAltSystemCallHandler)(ALT_SYSCALL_HANDLER, int); 15 | 16 | /* 17 | Not in the WDK, we will obtain it dynamically. Second Parameter should be PROCESS_INFORMATION_CLASS, 18 | for now we will hardcode the value to 0x64 which is the value necessary to enable SystemCall Handling in the process. 19 | We use Zw instead of Nt, because we need the PreviousMode to be KernelMode not UserMode 20 | */ 21 | typedef NTSTATUS (*ZwSetInformationProcess)(HANDLE, ULONG, PVOID, ULONG); 22 | 23 | // Driver init and unload functions 24 | DRIVER_INITIALIZE DriverEntry; 25 | DRIVER_UNLOAD DriverUnload; 26 | 27 | // Driver dispatch functions 28 | _Dispatch_type_(IRP_MJ_CREATE) 29 | _Dispatch_type_(IRP_MJ_CLOSE) 30 | DRIVER_DISPATCH AltSyscallCreateClose; 31 | 32 | _Dispatch_type_(IRP_MJ_DEVICE_CONTROL) 33 | DRIVER_DISPATCH AltSyscallDeviceControl; 34 | 35 | NTSTATUS 36 | RegisterSyscallHandler( 37 | ALT_SYSCALL_HANDLER CallbackFunction 38 | ); 39 | _Success_(return == TRUE) 40 | ALT_SYSCALL_HANDLER SystemCallCallback; 41 | 42 | 43 | #ifdef ALLOC_PRAGMA 44 | #pragma alloc_text(INIT, DriverEntry) 45 | #pragma alloc_text(PAGE, DriverUnload) 46 | #pragma alloc_text(PAGE, AltSyscallCreateClose) 47 | #pragma alloc_text(PAGE, AltSyscallDeviceControl) 48 | #pragma alloc_text(PAGE, RegisterSyscallHandler) 49 | #endif // ALLOC_PRAGMA 50 | 51 | NTSTATUS 52 | DriverEntry( 53 | _In_ PDRIVER_OBJECT DriverObject, 54 | _In_ PUNICODE_STRING RegistryPath 55 | ) 56 | { 57 | UNREFERENCED_PARAMETER(RegistryPath); 58 | 59 | NTSTATUS status; 60 | UNICODE_STRING ntUnicodeString; 61 | UNICODE_STRING ntWin32NameString; 62 | PDEVICE_OBJECT deviceObject = NULL; 63 | 64 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Driver loading started\n"); 65 | 66 | RtlInitUnicodeString(&ntUnicodeString, ALT_SYSCALL_NT_DEVICE_NAME); 67 | 68 | status = IoCreateDevice( 69 | DriverObject, 70 | 0, 71 | &ntUnicodeString, 72 | FILE_DEVICE_UNKNOWN, 73 | FILE_DEVICE_SECURE_OPEN, 74 | FALSE, 75 | &deviceObject); 76 | 77 | if (!NT_SUCCESS(status)) 78 | { 79 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Failed to create device: %#X\n", status); 80 | return status; 81 | } 82 | 83 | DriverObject->DriverUnload = DriverUnload; 84 | DriverObject->MajorFunction[IRP_MJ_CREATE] = AltSyscallCreateClose; 85 | DriverObject->MajorFunction[IRP_MJ_CLOSE] = AltSyscallCreateClose; 86 | DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = AltSyscallDeviceControl; 87 | 88 | RtlInitUnicodeString(&ntWin32NameString, ALT_SYSCALL_DOS_DEVICE_NAME); 89 | 90 | status = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString); 91 | 92 | if (!NT_SUCCESS(status)) 93 | { 94 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Failed to create symbolic link: %#X\n", status); 95 | IoDeleteDevice(deviceObject); 96 | } 97 | /* 98 | The handler can only be registered one time, that's why we are doing it on the DriverEntry. 99 | If we call PsRegisterAltSystemCallHandler with a handler already register we will get a Bug Check 0x1E0 100 | Also we must find a way to check if this handler is alredy set and a way to clear it 101 | */ 102 | status = RegisterSyscallHandler(SystemCallCallback); 103 | 104 | if (!NT_SUCCESS(status)) { 105 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Error trying to register the Syscall handler\n"); 106 | IoDeleteDevice(deviceObject); 107 | } 108 | 109 | return status; 110 | } 111 | 112 | VOID 113 | DriverUnload( 114 | _In_ PDRIVER_OBJECT DriverObject 115 | ) 116 | { 117 | 118 | PAGED_CODE(); 119 | 120 | PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject; 121 | UNICODE_STRING uniWin32NameString; 122 | 123 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Driver unloading started\n"); 124 | 125 | RtlInitUnicodeString(&uniWin32NameString, ALT_SYSCALL_DOS_DEVICE_NAME); 126 | IoDeleteSymbolicLink(&uniWin32NameString); 127 | if (deviceObject != NULL) 128 | { 129 | IoDeleteDevice(deviceObject); 130 | } 131 | 132 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Driver unloading finished\n"); 133 | } 134 | 135 | NTSTATUS 136 | AltSyscallCreateClose( 137 | PDEVICE_OBJECT DeviceObject, 138 | PIRP Irp 139 | ) 140 | { 141 | UNREFERENCED_PARAMETER(DeviceObject); 142 | 143 | PAGED_CODE(); 144 | 145 | Irp->IoStatus.Status = STATUS_SUCCESS; 146 | Irp->IoStatus.Information = 0; 147 | 148 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 149 | 150 | return STATUS_SUCCESS; 151 | } 152 | 153 | 154 | NTSTATUS 155 | AltSyscallDeviceControl( 156 | PDEVICE_OBJECT DeviceObject, 157 | PIRP Irp 158 | ) 159 | { 160 | UNREFERENCED_PARAMETER(DeviceObject); 161 | 162 | PAGED_CODE(); 163 | 164 | PIO_STACK_LOCATION pIoCurrStackLocation; 165 | NTSTATUS status = STATUS_SUCCESS; 166 | ULONG inBufLength; 167 | PHANDLE inBuf; 168 | HANDLE pHandle; 169 | CLIENT_ID clientId; 170 | HANDLE processInfo; 171 | OBJECT_ATTRIBUTES objectAttributes; 172 | UNICODE_STRING funcName; 173 | ZwSetInformationProcess pZwSetInformationProcess; 174 | 175 | pIoCurrStackLocation = IoGetCurrentIrpStackLocation(Irp); 176 | inBufLength = pIoCurrStackLocation->Parameters.DeviceIoControl.InputBufferLength; 177 | 178 | if (!inBufLength) { 179 | status = STATUS_INVALID_PARAMETER; 180 | goto End; 181 | } 182 | 183 | switch (pIoCurrStackLocation->Parameters.DeviceIoControl.IoControlCode) { 184 | case IOCTL_ALT_SYSCALL_DRIVER: 185 | inBuf = (PHANDLE) Irp->AssociatedIrp.SystemBuffer; 186 | 187 | clientId.UniqueProcess = *inBuf; 188 | clientId.UniqueThread = 0; 189 | InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); 190 | 191 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Monitor process PID: %zu\n", (ULONG64)clientId.UniqueProcess); 192 | 193 | status = ZwOpenProcess(&pHandle, PROCESS_ALL_ACCESS, &objectAttributes, &clientId); 194 | if (!NT_SUCCESS(status)) { 195 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Error getting HANDLE for process PID: %zu\n", (ULONG64)clientId.UniqueProcess); 196 | 197 | Irp->IoStatus.Information = 0; 198 | goto End; 199 | } 200 | 201 | RtlInitUnicodeString(&funcName, L"ZwSetInformationProcess"); 202 | pZwSetInformationProcess = (ZwSetInformationProcess)MmGetSystemRoutineAddress(&funcName); 203 | if (NULL == pZwSetInformationProcess) { 204 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Failed obtaining address of ZwSetInformationProcess\n"); 205 | 206 | ObCloseHandle(pHandle, KernelMode); 207 | Irp->IoStatus.Information = 0; 208 | goto End; 209 | } 210 | 211 | processInfo = (HANDLE)clientId.UniqueProcess; 212 | status = pZwSetInformationProcess(pHandle, 0x64, &processInfo, 1); 213 | if (!NT_SUCCESS(status)) { 214 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Error setting process information: %08X\n", status); 215 | 216 | ObCloseHandle(pHandle, KernelMode); 217 | Irp->IoStatus.Information = 0; 218 | goto End; 219 | } 220 | 221 | ObCloseHandle(pHandle, KernelMode); 222 | 223 | break; 224 | default: 225 | status = STATUS_INVALID_DEVICE_REQUEST; 226 | Irp->IoStatus.Information = 0; 227 | 228 | break; 229 | } 230 | 231 | End: 232 | Irp->IoStatus.Status = status; 233 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 234 | 235 | return status; 236 | } 237 | 238 | NTSTATUS 239 | RegisterSyscallHandler( 240 | ALT_SYSCALL_HANDLER CallbackFunction 241 | ) 242 | { 243 | PAGED_CODE(); 244 | 245 | NTSTATUS status; 246 | UNICODE_STRING funcName; 247 | PsRegisterAltSystemCallHandler pPsRegisterAltSystemCallHandler; 248 | 249 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Registering Syscall handler\n"); 250 | 251 | RtlInitUnicodeString(&funcName, L"PsRegisterAltSystemCallHandler"); 252 | pPsRegisterAltSystemCallHandler = (PsRegisterAltSystemCallHandler)MmGetSystemRoutineAddress(&funcName); 253 | if (NULL == pPsRegisterAltSystemCallHandler) { 254 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Failed obtaining address of PsRegisterAltSystemCallHandler\n"); 255 | 256 | return STATUS_PROCEDURE_NOT_FOUND; 257 | } 258 | status = pPsRegisterAltSystemCallHandler(&CallbackFunction, 1); 259 | 260 | if (!NT_SUCCESS(status)) { 261 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[AltSyscall] Error registering Syscall Handler\n"); 262 | 263 | return STATUS_UNSUCCESSFUL; 264 | } 265 | 266 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Syscall handler registered successfully\n"); 267 | 268 | return status; 269 | } 270 | 271 | BOOLEAN 272 | SystemCallCallback( 273 | _In_ PKTRAP_FRAME TrapFrame 274 | ) 275 | { 276 | // Keeping the syscall number in a local variable, trying to print it directly from the trap frame crashes the process, that's weird, why!? 277 | ULONG64 SyscallNum = TrapFrame->Rax; 278 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Syscall handler -> Syscall(%#04llx)\n", SyscallNum); 279 | 280 | return TRUE; 281 | } -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define ALT_SYSCALL_NT_DEVICE_NAME L"\\Device\\AltSyscall" 4 | #define ALT_SYSCALL_DOS_DEVICE_NAME L"\\DosDevices\\AltSyscall" 5 | 6 | #define IOCTL_ALT_SYSCALL_DRIVER\ 7 | CTL_CODE( FILE_DEVICE_UNKNOWN, 0x993, METHOD_BUFFERED, FILE_ANY_ACCESS ) 8 | 9 | #define DRIVER_NAME L"AltSyscall.sys" 10 | -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscallDriver.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; AltSyscallDriver.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=System 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} 9 | Provider=%ManufacturerName% 10 | DriverVer= 11 | CatalogFile=AltSyscallDriver.cat 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | 17 | [SourceDisksNames] 18 | 1 = %DiskName%,,,"" 19 | 20 | [SourceDisksFiles] 21 | 22 | 23 | [Manufacturer] 24 | %ManufacturerName%=Standard,NT$ARCH$ 25 | 26 | [Standard.NT$ARCH$] 27 | 28 | 29 | [Strings] 30 | ManufacturerName="" ;TODO: Replace with your manufacturer name 31 | ClassName="" 32 | DiskName="AltSyscallDriver Source Disk" 33 | -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscallDriver.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29326.143 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AltSyscallDriver", "AltSyscallDriver.vcxproj", "{65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x64.ActiveCfg = Debug|x64 17 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x64.Build.0 = Debug|x64 18 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x64.Deploy.0 = Debug|x64 19 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x86.ActiveCfg = Debug|Win32 20 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x86.Build.0 = Debug|Win32 21 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Debug|x86.Deploy.0 = Debug|Win32 22 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x64.ActiveCfg = Release|x64 23 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x64.Build.0 = Release|x64 24 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x64.Deploy.0 = Release|x64 25 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x86.ActiveCfg = Release|Win32 26 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x86.Build.0 = Release|Win32 27 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1}.Release|x86.Deploy.0 = Release|Win32 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | GlobalSection(ExtensibilityGlobals) = postSolution 33 | SolutionGuid = {0B7DEBF0-BC24-4465-B528-93FEED6A2759} 34 | EndGlobalSection 35 | EndGlobal 36 | -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscallDriver.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {65B9BD41-96AC-45E3-B7B5-C30EDE97ADB1} 39 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | AltSyscallDriver 45 | $(LatestTargetPlatformVersion) 46 | 47 | 48 | 49 | Windows10 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | WDM 54 | 55 | 56 | Windows10 57 | false 58 | WindowsKernelModeDriver10.0 59 | Driver 60 | WDM 61 | 62 | 63 | Windows10 64 | true 65 | WindowsKernelModeDriver10.0 66 | Driver 67 | WDM 68 | 69 | 70 | Windows10 71 | false 72 | WindowsKernelModeDriver10.0 73 | Driver 74 | WDM 75 | 76 | 77 | Windows10 78 | true 79 | WindowsKernelModeDriver10.0 80 | Driver 81 | WDM 82 | 83 | 84 | Windows10 85 | false 86 | WindowsKernelModeDriver10.0 87 | Driver 88 | WDM 89 | 90 | 91 | Windows10 92 | true 93 | WindowsKernelModeDriver10.0 94 | Driver 95 | WDM 96 | 97 | 98 | Windows10 99 | false 100 | WindowsKernelModeDriver10.0 101 | Driver 102 | WDM 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | DbgengKernelDebugger 114 | 115 | 116 | DbgengKernelDebugger 117 | 118 | 119 | DbgengKernelDebugger 120 | AltSyscall 121 | true 122 | 123 | 124 | DbgengKernelDebugger 125 | 126 | 127 | DbgengKernelDebugger 128 | 129 | 130 | DbgengKernelDebugger 131 | 132 | 133 | DbgengKernelDebugger 134 | 135 | 136 | DbgengKernelDebugger 137 | 138 | 139 | 140 | %(AdditionalDependencies) 141 | 142 | 143 | false 144 | 145 | 146 | 147 | 148 | false 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | -------------------------------------------------------------------------------- /AltSyscallDriver/AltSyscallDriver.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WinAltSyscallHandler 2 | Some research on AltSystemCallHandlers functionality in Windows 10 20H1 18999 3 | 4 | ---------------------------------------------------------------------------- 5 | 6 | `PsAltSystemCallHandlers` is an array of 2 members. 7 | We cannot change the first member using `PsRegisterAltSystemCallHandler` because it checks for the index value. First member is reserved for `Pico` processes. 8 | Also, if second member was already initialized, expect a bug check - 0x1e0. 9 | 10 | First member is initialized to `PsPicoAltSystemCallDispatch` in `IoInitSystemPreDrivers`. 11 | The second member can be a pointer to a function, but also a value like 0 or 1. 12 | The value 1 is present when initialized by `PsNotifyCoreDriversInitialized` and it will not be possible to enable system call handling because `PspEnableAltSystemCallHandling` will return `STATUS_UNSUCCESSFUL` and 0 is the default value. 13 | 14 | In `PsAltSystemCallDispatch` the handler is called based on the value from `KeGetCurrentThread()->Header.DebugActive`. If it has the 3rd bit (`DebugActive.Minimal`) set to 1, then the first handler is called (`PsPicoAltSystemCallDispatch`). 15 | Otherwise if the the 6th bit (`DebugActive.AltSyscall`) is set to 1, then the second handler is called (The one we can register with `PsRegisterAltSystemCallHandler`). In any other case the kernel will crash with bug check = 0x1e0. 16 | 17 | `PsAltSystemCallDispatch` is called from `KiSystemCall64`. We determined that the argument to `PsAltSystemCallDispatch` is the `KTRAP_FRAME`, which later is passed as the only argument to our registered handler. Syscall number is on `rcx+30`, which is the offset pointing to `rax` in the [`KTRAP_FRAME`](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1903%2019H1%20(May%202019%20Update)/_KTRAP_FRAME)) obtained during the transition from ring 3 to ring 0 in `KiSystemCall64`. 18 | [More info on the KTRAP_FRAME](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/ktrap_frame.htm) 19 | 20 | `PspEnableAltSystemCallHandling` is called from `NtSetInformationProcess`. As can be seen on the following image: 21 | 22 | ![PspEnableAltSystemCallHandling](images/PspEnableAltSystemCallHandling.png) 23 | 24 | `NtSetInformationProcess` must be called with `PreviousMode == KernelMode` if this is not the case it will return `STATUS_ACCESS_DENIED`, to achieve this we will use the call to `ZwSetInformationProcess` (More about [PreviousMode](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/previousmode)). The arguments `NtSetInformationProcess` have to be: 25 | ``` 26 | Argument 4(ProcessInformationLength): 1 27 | Argument 3(ProcessInformation): self explanatory 28 | Argument 2(ProcessInformationClass): 0x64 29 | Argument 1(ProcessHandle): self explanatory 30 | ``` 31 | The value passed in `ProcessInformation` doesn't really matter, but it must not be `NULL`. 32 | 33 | ## DISCLAIMER 34 | 35 | The tool is only for research purpose, this means it is not very well tested and we're NOT responsible for any possible damage. Feel free to open a pull request if you observe any bug(s) and/or have any improvements. 36 | 37 | ## FOUND ISSUES 38 | 39 | - We observed that accessing directly the value in `Rax` member of `KTRAP_FRAME` was crashing the monitored process when logging it's value. So now we keep that value in a local variable. We're not sure why was that happening. 40 | 41 | - `NtSetInformationProcess` sometimes returns `ERROR_INVALID_PARAMETER` when trying to enable monitoring. It's not clear to us why it was failing. 42 | 43 | - ~~It looks like this feature is not "finished?"/functional because `PatchGuard` doesn't like if you modify `PsAltSystemCallHandlers` array.~~ 44 | ![PatchGuard GSoD](images/gsod.png) 45 | 46 | - ~~There's no simple way(one function) to unregister the syscall handler. That's going back to the observation that it's probably an unfinished feature.~~ 47 | 48 | ## UPDATES 49 | 50 | 1) Thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for the info regarding the last two issues. Basically the problem is not that the feature is "incomplete" is rather a design issue. For now, this feature is only intended to be used by Windows Defender. So the Windows Defender driver runs as a core driver, which means that is loaded before PG is activated, so it can register a handler safely, and for this same reason there is no way to unregister the function, because only Windows Defender can register a handler there, so it doesn't need to unregister it. 51 | 52 | Having this in mind, until Microsoft decide to "open" this feature **the only way to use the tool would be starting the machine under a debugger (WinDbg) or using a tool like [EfiGuard](https://github.com/Mattiwatti/EfiGuard) to disable PatchGuard** 53 | 54 | Again big thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for sharing this info :) 55 | 56 | 2) In the near future we'll research the idea of detecting by *yourself*(an `user space` executable) the fact that your actions are monitored by an `AltSyscallHandler`. 57 | 58 | 59 | ## CONCLUSION 60 | 61 | Regarding the prototype of the handler, we're not sure about the returning value. It looks like `1`\\`TRUE` works fine but `PsPicoAltSystemCallDispatch` handler actually returns the syscall number but we are not experts on PICO processes, maybe for next research :) 62 | 63 | We can't wait to see this feature in a stable version of Windows, we strongly believe AV products and researchers will be able to benefit a lot from this, (Going back to hooking syscalls! We don't know if this is good or bad thou) also we want to see how Microsoft will expose the API to use this feature. 64 | 65 | ![POC](images/poc.jpg) 66 | 67 | - [@n4r1B](https://twitter.com/n4r1B) 68 | - [@0xcpu](https://twitter.com/0xcpu) 69 | -------------------------------------------------------------------------------- /images/PspEnableAltSystemCallHandling.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xcpu/WinAltSyscallHandler/357a195b2eeac220a4d482a8fc7242da5941c2f6/images/PspEnableAltSystemCallHandling.png -------------------------------------------------------------------------------- /images/gsod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xcpu/WinAltSyscallHandler/357a195b2eeac220a4d482a8fc7242da5941c2f6/images/gsod.png -------------------------------------------------------------------------------- /images/poc.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xcpu/WinAltSyscallHandler/357a195b2eeac220a4d482a8fc7242da5941c2f6/images/poc.jpg --------------------------------------------------------------------------------